
Re: (ITS#6411) Possible bug in Overlay pPolicy




Attached is the configuration file of the openldap squeeze test server.

I made some changes to the file /etc/ldap/slapd.overlay.conf, which is
included by /etc/ldap/slapd.conf, and discovered that the problem is
with the overlay rwm, because when I comment out that overlay the problem
does not appear.

If I keep the following rwm overlay entries, the problem happens again:

moduleload rwm
overlay rwm

Even with the other rwm overlay settings commented out, the problem continues.

Any ideas?


2009/12/2 Howard Chu <hyc@symas.com>:
> jarbas.junior@gmail.com wrote:
>>
>> Full_Name: Jarbas Peixoto Junior
>> Version: 2.4.11 / 2.4.17 / 2.4.20
>> OS: Gnu/Linux Debian
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (200.152.34.143)
>>
>>
>> Possible bug in Overlay pPolicy
>>
>> I have OpenLDAP installed via the Debian Lenny package functioning
>> normally.
>>
>> Aiming to test the version of Debian Squeeze in the test machine installed
>> package slapd (2.4.17-2.1) with the same set of Debian Lenny (2.4.11).
>>
>> However, when testing the overlay pPolicy noticed that a wrong password
>> authentication, runs all objects in the ldap database, causing a "delay"
>> that
>> does not exist in version Lenny.
>>
>> Below is some information that may be useful in detecting the problem:
>>
>> File: slapd.conf
>> ====================
>> moduleload      ppolicy
>> overlay ppolicy
>> ppolicy_default
>> "cn=default,ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,dc=br"
>> ppolicy_use_lockout
>> ====================
>>
>> ldapsearch -LLL -x -H ldap://squeeze -b
>> ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,dc=br
>> '(cn=default)'
>> dn:
>> cn=default,ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,d
>>  c=br
>> objectClass: top
>> objectClass: device
>> objectClass: pwdPolicy
>> pwdAttribute: userPassword
>> description::
>> UG9sw610aWNhIGRlIFNlbmhhIERlZmF1bHQgcGFyYSB0b2RvcyB1c3XDoXJpb3M=
>> pwdAllowUserChange: TRUE
>> pwdFailureCountInterval: 3600
>> pwdGraceAuthNLimit: 5
>> pwdInHistory: 0
>> pwdLockoutDuration: 60
>> pwdMaxAge: 7776000
>> pwdMinAge: 0
>> pwdMinLength: 6
>> pwdSafeModify: FALSE
>> pwdCheckQuality: 1
>> pwdExpireWarning: 600
>> cn: default
>> pwdMustChange: FALSE
>> pwdMaxFailure: 10
>> pwdLockout: FALSE
>>
>> date ; ldapsearch -LLL -x -H ldap://squeeze -b
>> ou=usuarios,dc=previdencia,dc=gov,dc=br -D
>> uid=jarbas.peixoto,ou=pessoas,ou=usuarios,dc=previdencia,dc=gov,dc=br -w
>> wrong-password '(uid=jarbas.peixoto)' cn mail pwdFailureTime
>> pwdAccountLockedTime modifyTimeStamp ; date
>> Qua Dez  2 16:14:56 AMST 2009
>> ldap_bind: Invalid credentials (49)
>> Qua Dez  2 16:15:36 AMST 2009
>>
>> grep 'access_allowed: search access to' /var/log/debug | wc -l
>> 83714
>>
>> The question is: why access all entries in LDAP?
>
> Don't know. This would have to be the result of a search operation, but
> there is no search code in ppolicy.c. Since ppolicy cannot be the culprit,
> we'll need to see the rest of your config to track down the issue.
>
> --
>  -- Howard Chu
>  CTO, Symas Corp.           http://www.symas.com
>  Director, Highland Sun     http://highlandsun.com/hyc/
>  Chief Architect, OpenLDAP  http://www.openldap.org/project/
>
